Releases: OpenIDC/mod_auth_openidc
release 2.4.16.3
Bugfixes
- fix segfault in child process initialization routine when using Redis and/or Metrics settings in vhosts; closes #1208; thanks @studersi and Brent van Laere
- fix `OIDCCacheShmMax` min/max settings; see #1260; thanks @bbartke
- allow overriding globally set `OIDCCacheType` back to `shm` in individual vhosts
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, SUSE Linux, Amazon Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.16.2
Note that a custom OIDCCacheShmMax setting cannot be configured with this release.
Bugfixes
- fix regressions from the configuration rewrite in 2.4.16/2.4.16.1
- fix setting `OIDCPKCEMethod none`; closes #1256; thanks @eoliphan
- fix disabled `OIDCStateCookiePrefix` command; closes #1254; thanks @damisanet
- fix setting
- re-introduce `OIDCSessionMaxDuration 0`; see #1252; thanks @amitmun
- improve resilience in case both `Forwarded` and `X-Forwarded-*` headers are configured and only `X-Forwarded-*` is passed in
Other
- remove support for `OIDCHTMLErrorTemplate`, deprecated since 2.4.14
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, SUSE Linux, Amazon Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.16.1
Note that `OIDCPKCEMethod none`, `OIDCSessionMaxDuration 0`, `OIDCCacheShmMax` and `OIDCStateCookiePrefix` cannot be used in this release, see: #1256, #1252, #1260 and #1254 respectively.
Security
- disable support for the RSA PKCS v1.5 JWE/JWT encryption algorithm as it is considered insecure due to the Marvin attack; it is removed from libcjose >= 0.6.2.3 as well; see GHSA-6x73-979p-x9jr
Features
- add Relying Party support for the FAPI 2.0 Security Profile (OpenID Financial-grade API v2.0)
- add Relying Party support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP), configured through the `OIDCDPoPMode [off|optional|required]` primitive (`dpop_mode` in the `.conf` file in multi-OP setups)
- add support for RFC 9126 OAuth 2.0 Pushed Authorization Requests, configured through `OIDCProviderPushedAuthorizationRequestEndpoint` and `OIDCProviderAuthRequestMethod PAR`
- add the `nbf` claim to the Request Object
- store the `token_type` in the session and make it available on the info hook together with the `access_token`
- replace the multi-provider `.conf` `issuer_specific_redirect_uri` boolean with the `response_require_iss` boolean, to require the Provider to pass the `iss` value in authorization responses, mitigating the OP mix-up attack
- return HTTP 502 when refreshing the access token or userinfo fails (default: `502_on_error`)
- add support for `OIDCOAuthIntrospectionEndpointKeyPassword`, i.e. to configure a password for accessing the private key file used for OAuth 2.0 token introspection
- when an expression is configured for `OIDCUnAuthAction` (i.e. in the 2nd argument), also apply it to `OIDCUnAutzAction` so that it can be used to enable step-up authentication for SPAs with non-conformant browsers (some versions of Safari) and in (potentially insecure) iframes; see #1205; thanks @ryanwilliamnicholls
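The `response_require_iss` check above, written out as an added Python example that is not mod_auth_openidc code: it applies the RFC 9207 `iss` authorization response parameter the way a Relying Party has to in order to defeat the OP mix-up scenario. Hostnames, the `rp.example/cb` redirect URI and the `rejects` helper are constructed for illustration.

```python
# Added example, not mod_auth_openidc code: an RP-side check in the spirit of the
# response_require_iss option. RFC 9207 has the OP return an `iss` parameter in the
# authorization response; the RP compares it with the issuer of the session it started,
# so a response arriving from a different OP than the one the user was sent to (the
# mix-up scenario) is rejected before the code is ever exchanged at a token endpoint.
from typing import Optional
from urllib.parse import parse_qs, urlsplit

class AuthzResponseError(Exception):
    pass

def _single(params: dict, name: str) -> Optional[str]:
    # Reject duplicated parameters: "?iss=A&iss=B" must not pass by picking one value.
    values = params.get(name, [])
    if len(values) > 1:
        raise AuthzResponseError(f"duplicate '{name}' parameter")
    return values[0] if values else None

def check_authz_response(redirect_url: str, session_issuer: str, session_state: str,
                         require_iss: bool = True) -> str:
    # session_issuer/session_state are what the RP stored when it built the
    # authorization request; they are never taken from the response itself.
    params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    if _single(params, "state") != session_state:
        raise AuthzResponseError("state mismatch")
    iss = _single(params, "iss")
    if iss is None:
        if require_iss:
            raise AuthzResponseError("missing 'iss' while response_require_iss is set")
    elif iss != session_issuer:
        raise AuthzResponseError("iss does not match the session issuer (mix-up)")
    code = _single(params, "code")
    if not code:
        raise AuthzResponseError("missing authorization code")
    return code

def rejects(redirect_url: str, session_issuer: str, session_state: str,
            require_iss: bool = True) -> bool:
    # True when the response is rejected; convenient for tests and log assertions.
    try:
        check_authz_response(redirect_url, session_issuer, session_state, require_iss)
        return False
    except AuthzResponseError:
        return True

# Constructed sample redirects (placeholder hostnames, not real providers).
GOOD = "https://rp.example/cb?code=abc&state=s1&iss=https%3A%2F%2Fop-a.example"
MIXUP = "https://rp.example/cb?code=abc&state=s1&iss=https%3A%2F%2Fop-b.example"
NO_ISS = "https://rp.example/cb?code=abc&state=s1"
```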
Bugfixes
- allow overriding defined global configuration primitives to their default value on the individual vhost level
- various fixes to applying default config values and disallowing global/vhost primitives in directory scopes
- apply input/boundary checking on all configuration and multi-provider metadata values
- memcache: correct dead server check on `APR_NOTFOUND`; see #1230; thanks @rpluem-vf
- tighten up the `aud` claim validation for received ID tokens
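As an added illustration of what `aud` validation on a received ID token has to cover (example code, not the module's own implementation, whose exact change this page does not describe), the following applies the OpenID Connect Core 1.0 section 3.1.3.7 audience rules to already decoded claims. The client identifiers and claim sets are constructed samples.

```python
# Added example, not mod_auth_openidc's implementation: the OpenID Connect Core 1.0
# section 3.1.3.7 rules for the ID token `aud` and `azp` claims, applied to already
# decoded and signature-verified claims. The exact tightening in the module is not
# described on this page; these are the audience rules an RP has to enforce so that an
# ID token issued to another client at the same OP is not accepted by this one.
from typing import Any, Dict, List, Optional

def validate_id_token_audience(claims: Dict[str, Any], client_id: str) -> Optional[str]:
    # Returns None when the checks pass, otherwise the reason for rejection.
    aud = claims.get("aud")
    audiences: List[str]
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        return "aud must be a string or a non-empty array of strings"
    # The token must be intended for us; it may list other audiences as well.
    if client_id not in audiences:
        return "aud does not contain this client_id"
    azp = claims.get("azp")
    if azp is not None and not isinstance(azp, str):
        return "azp must be a string"
    # Multiple audiences: the spec says the client SHOULD verify azp is present.
    # A strict RP treats its absence as a rejection, as done here.
    if len(audiences) > 1 and azp is None:
        return "multiple audiences but no azp claim"
    if azp is not None and azp != client_id:
        return "azp does not match this client_id"
    return None

# Constructed sample claim sets (signature and iss/exp checks assumed done already).
OK_SINGLE = {"iss": "https://op.example", "sub": "u1", "aud": "my-client"}
OK_MULTI = {"iss": "https://op.example", "sub": "u1",
            "aud": ["my-client", "api-client"], "azp": "my-client"}
OTHER_CLIENT = {"iss": "https://op.example", "sub": "u1", "aud": "other-client"}
MULTI_NO_AZP = {"iss": "https://op.example", "sub": "u1", "aud": ["my-client", "api-client"]}
BAD_TYPE = {"iss": "https://op.example", "sub": "u1", "aud": ["my-client", 42]}
```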
Other
- version 2.4.1.6 successfully runs against the OpenID Certification test suite for the OIDC RP and FAPI2 RP profiles
- packages for the recent Ubuntu Noble stable release are added to the Assets section below
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, SUSE Linux, Amazon Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.16
superseded by 2.4.16.1 with a bugfix for parsing OIDCXForwardedHeaders, see: #1250
release 2.4.15.7
The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.
Bugfixes
- fix `OIDCUserInfoRefreshInterval` and interpret the interval as seconds, not as microseconds (broken in 2.4.15.6)
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, Amazon Linux, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.15.6
The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.
Bugfixes
- use `SameSite=Lax` when `OIDCCookieSameSite` is `On` (also the default since 2.4.15) instead of `Strict`, as overriding from `Lax` to `Strict` does not work reliably anymore (i.e. on Chrome with certain plugins)
- signed_jwks_url: make the `exp` claim optional in signed JWK sets (`OIDCProviderSignedJwksUri`); see #1182; thanks @psteniusubi; ensures interoperability with the OpenID Federation specification
- cache: hash the cache key if it is larger than 512 bytes so large cache key entries (i.e. for JWT tokens) are no longer a problem in unencrypted SHM cache configs, i.e. the default shared memory cache setup; see issues/discussions on "could not construct cache key since key size is too large"
- cache: fix debug printout of cache key in `oidc_cache_get` introduced in 2.4.15
- http: fix applying the default HTTP short retry interval setting and use 300ms as default value
- userinfo: fix setting the `exp` claim in userinfo signed JWTs (`exp` would be `now+0`) when no `expires_in` is returned by the OpenID Connect Provider
- userinfo: fix signed JWT caching (if enabled) when the TTL is set to 0 or "" which should apply the `exp` claim as the cache TTL
- refresh: fix for `expires_in` string values returned from the token endpoint that would be interpreted as 0; this fixes using `OIDCRefreshAccessTokenBeforeExpiry` and `OIDCUserInfoRefreshInterval` with (older) Azure AD configs that would result in a token refresh on every request since 2.4.15 or a 401 in 2.4.14.4
- authz: fix evaluation of `Require claim` statements for nested array claims
- authz: properly handle parse errors in `Require claim <name>:<integer>` statements
- fix setting the default PKCE method to `none` in a multi-provider setup
Other
- userinfo refresh: don't try to refresh the access token and retry when a connectivity error has occurred
- logout: don't try to revoke tokens on post-access-token-refresh or post-userinfo-refresh-errors logouts
- (internal) session state: represent timestamps as JSON integers instead of strings, as also returned from the info hook
Features
- signed_jwks_uri: accept verification key set formatted as either JWK or JWKS; see #1191; thanks @psteniusubi
- redis: enable TCP keepalive on Redis connections by default and make it configurable with: `OIDCRedisCacheConnectTimeout <connect-timeout> [0|<keep-alive-interval>]`
- proto: accept strings as well as integers in the `expires_in` claim from the token endpoint to cater for non-spec compliant implementations
- userinfo: accept `0` in `OIDCUserInfoRefreshInterval` which will refresh userinfo on every request
- authz: add support for JSON `real` and `null` value matching in `Require claim` statements
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.15.3
The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.
Security
- fix CVE-2024-24814: prevent DoS when `OIDCSessionType client-cookie` is set and a crafted `Cookie` header is supplied, see the advisory; thanks @olipo186
Bugfixes
- rewrite handling of parallel refresh token grant requests
- temporarily cache the results of the refresh token grant for other (almost) parallel callers
- fixes handling on the same server, and improves clustered handling through a best-effort distributed cached lock, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Known-Limitations#parallel-refresh-token-grants
- improves handling of non-rollover refresh tokens since it avoids superfluous calls to the token endpoint
- avoid crash when `Forwarded` is not present but `OIDCXForwardedHeaders Forwarded` is configured for it; see #1171; thanks @daviddpd
- set Redis default retry interval time to 300 milliseconds (instead of 0.5ms) and make it configurable
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.15.2
commercial-binaries-only security patch release for CVE-2024-24814
release 2.4.15.1
The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.
Bugfixes
- fix Prometheus output overlap and re-organize metric/label naming; closes #1161; see #1162 and #1160; thanks @studersi
- fix `OIDCCacheType file` on Windows and use `apr_file_rename()` in the file cache backend instead of `rename()` to fix a Windows file renaming issue; thanks @adg-mh
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.15
The 2.4.15 release changes a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.
New Defaults
- use Proof Key for Code Exchange (PKCE S256) by default; disable by configuring `OIDCPKCEMethod none`
- use SameSite cookies Strict by default; disable by configuring `OIDCCookieSameSite Off`
- apply ISO-8859-1 (`latin1`) as default encoding mechanism for claim values passed in headers and environment variables to comply with https://www.rfc-editor.org/rfc/rfc5987; see #957; use `OIDCPassClaimsAs <any> none` for backwards compatibility
Bugfixes
- restore backwards compatibility wrt. allowing parallel refresh token requests by default, and add an option to prevent that (i.e. in case of rolling refresh tokens) using envvar `OIDC_PARALLEL_REFRESH_NOT_ALLOWED`
- do not apply `logout_on_error` and `authenticate_on_error` when a parallel refresh token request is detected; see #1132; thanks @esunke
- fix SSL server certificate validation when revoking tokens and apply the `OIDCSSLValidateServer` setting rather than `OIDCOAuthSSLValidateServer` in `oidc_revoke_tokens`; see #1141; thanks @mschmidt72
- make sure the shm cache entry size `OIDCCacheShmEntrySizeMax` is a multiple of 8 bytes, see #1067; thanks @sanzinger
- fix Redis connect retries and make it configurable through environment variable `OIDC_REDIS_MAX_TRIES`
Features
- add metrics collection/observability capability with `OIDCMetricsData` and `OIDCMetricsPublish`, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Observability
- generate or propagate the `traceparent` header on outgoing (and proxied) requests; ties the `parent-id` to the (8-byte hash of) the session or access token when available
- retry failed outgoing HTTP requests and add options to configure it in `OIDCHTTPTimeoutLong`/`OIDCHTTPTimeoutShort`
- improve error message in case of curl timeouts
- add capability to seamlessly roll over `OIDCCryptoPassphrase` using a (temporary) 2nd value that holds the previous one
- add `iat` and `exp` claims to request objects; closes #1137
- populate the `User-Agent` header in outgoing HTTP requests with host, port, process-id, mod_auth_openidc, libcurl and OpenSSL version information and log it for debugging purposes
Other
- return HTTP 500 on token refresh errors instead of HTTP 401
- use only the `User-Agent` header as input for the state browser fingerprinting by default (no `X-Forwarded-For`)
- remove obsolete support for Token Binding https://www.rfc-editor.org/rfc/rfc8471.html (id_token, access_token, session cookie)
- use clang-format-17 for code formatting and reformat all code
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]